MEMORANDUM REPORT 01-IT-M-082 - REDACTED
Senior Management Attention Needed to Ensure Effective Implementation of the Government Information Security Reform Act
September 2001

In response to the Government Information Security Reform Act (GISRA), Public Law 106-398, the Office of Inspector General (OIG) performed an independent evaluation of the information security program and practices of the Department of State (Department). The Government Information Security Reform Act provides: (1) a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources; and (2) a mechanism for improved oversight of Federal agency information security programs. The objective of our review was to determine whether the Department is effectively implementing key requirements of GISRA, including those pertaining to security planning and risk management, information security roles and responsibilities, training, and performance measures.

RESULTS IN BRIEF

OIG’s evaluation of the effectiveness of the Department’s information security program found mixed results. Specifically, OIG concluded that information security weaknesses continue to threaten Department operations, both here and abroad. Both OIG and Bureau of Diplomatic Security (DS) evaluation reports over the past 2 years identified weak information security management practices at dozens of overseas posts. For example, only 10 of the 35 posts in one geographic region reviewed by OIG security teams in 1999 and 2000 were reported to have adequate information security procedures in place. Further, according to OIG’s survey questionnaire, although 59 percent of the Department’s 371 systems are reported to have risk assessments, only 10 percent are reported to have security plans, as required by GISRA.

On the other hand, the Department has made progress in implementing a key GISRA provision—establishing the agency’s Chief Information Officer (CIO) as the central management focal point for information security activities. In mid-August 2001, OIG provided the Department a draft of this report, which discussed our concern at that time that the Department’s senior leadership had not agreed on what functional and organizational changes needed to be made to comply with the law. In response to the draft report, the Under Secretary for Management promptly reassessed the relative senior management roles and responsibilities of the Bureau of Information Resource Management (IRM) and DS in managing information security and directed actions consistent with GISRA requirements. Specifically, on August 20, 2001, on the recommendation of the Under Secretary for Management, the Deputy Secretary issued a Delegation of Authority to the CIO to administer the Department’s information security program. The CIO’s new role as the administrator of this program establishes the central management focus on information security that is required by the law and puts the Department in a better posture to protect its information technology assets from security risks. In its response to OIG’s draft report, the Department stated that it believes that its actions will resolve the issues raised in the report, while recognizing that a number of details implementing the changes remain to be worked out over a 30-day period.

Although the Department has not developed performance measures for its information security program, which are required by both GISRA and the Government Performance and Results Act (Public Law 103-62), in response to a draft of this report, the Under Secretary for Management’s office said that by October 15, 2001, IRM, working with DS, will develop measurable and meaningful performance measures for the Department’s information security program. This is important because without usable performance measures, the Department is unable to assess the adequacy and effectiveness of information security policies and procedures. Further, it is hindered in its efforts to implement a results-based information security management program.

BACKGROUND

Information security is an important goal for any organization that depends on information systems and computer networks to carry out its mission. The dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet are changing the way our government, the nation, and much of the world communicate and conduct business. However, without proper safeguards, these developments pose enormous risks that make it easier for people and groups with malicious intent to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer networks and systems. Further, the number of people with computer skills is increasing, and intrusion techniques and tools are readily available and relatively easy to use. The rash of cyber attacks launched in February 2000 against major U.S. firms and the global disruption caused by the “ILOVEYOU” virus in May 2000 illustrate the risks associated with this new electronic age.

Computer-supported government operations, including those at the Department, are also at risk. Previous OIG and DS reports have identified persistent computer security weaknesses that place a variety of critical and mission-essential Department operations at risk of disruption, fraud, and unauthorized disclosure. The Department has been able to close four material weaknesses previously reported under the Federal Managers’ Financial Integrity Act of 1982 (Public Law 97-255), and it has been able to close all recommended actions resulting from a 1998 General Accounting Office (GAO) audit of information security (GAO 98-145). However, the Department recognizes that much more must be done to develop fully and ensure continuity of its Systems Security Program.

Faced with growing concerns about information security risks to the Federal Government, the Congress passed and the President signed GISRA into law in late 2000. GISRA provides: (1) a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets; and (2) a mechanism for improved oversight of Federal agency information security programs. Specifically, GISRA requires agencies to:

• identify, use, and share best security practices;
• develop an agency-wide information security plan;
• incorporate information security principles and practices throughout the life cycles of the agency’s information systems; and
• ensure the information security plan is practiced throughout all life cycles of the agency’s information systems.

In addition, GISRA assigns the agency’s CIO authority and responsibility to administer key functions under the statute, including:

• designating a senior agency information security official who shall report to the CIO;
• developing and maintaining an agency-wide information security program;
• ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques; and
• training and overseeing personnel with significant responsibilities for information security.

Finally, in addition to a number of other provisions, GISRA requires each agency to have performed an independent evaluation of its information security program and practices. The Inspector General or the independent evaluator performing a review may use any audit, evaluation, or report relating to the effectiveness of the agency’s information security program to do so. The agency is required to submit the independent evaluation, along with its own assessment, to the Office of Management and Budget (OMB) as part of its annual budget request.

Overview of the Department’s Management Approach to Information Security

The Department provides an overview of its management approach to information security in its FY 2001 Systems Security Program Plan (the Plan) issued in May 2001. The Plan—the first developed by the CIO and issued to the Department—was not revised to address requirements resulting from GISRA’s enactment in late 2000 and does not reflect more recent changes and delegations of authority within the Department to meet GISRA requirements. However, the Plan establishes a baseline for the Department to build on in organizing its information security program. It identifies the authorities and fundamental principles guiding Information Technology (IT) security in the Department, outlines the roles and responsibilities of the Department’s bureaus in the realm of IT, and briefly addresses the strategies for achieving and maintaining a desirable IT security posture for the Department. The Plan applies to all classified, unclassified, and sensitive but unclassified systems throughout the Department, its domestic bureaus, offices, annexes, and posts worldwide.

According to the Plan, three senior management officials have key roles in the implementation and governance of security policy. Specifically:

• The Under Secretary for Management is responsible for the control of all management resources, organizational structure, and assignment of functions within the Department.

• The CIO is the senior accountable official for IT security. The establishment of the CIO as the focal point for IT security in the Department is intended to facilitate the life cycle management of the Department’s IT security program. This official is also the Designated Approving Authority responsible for making risk acceptance determinations for information technology on behalf of the Department.[1] Based on mission criticality, the Designated Approving Authority may accept risk and grant either an approval to operate or an interim approval to operate if the system does not meet requirements. Also, the CIO promulgates IT security policy in concert with DS and oversees its implementation throughout the Department.

• The Assistant Secretary for Diplomatic Security serves as the principal adviser to the Secretary of State and the Under Secretary for Management on all security matters. DS is responsible for defining threat levels relevant to IT assets and for developing IT security policy and standards consistent with threat level, national policy, and the National Institute of Standards and Technology’s guidelines in conjunction with the CIO. Also, the DS Deputy Assistant Secretary for Countermeasures and Information Security reports to the CIO on all matters regarding information security.[2]

According to the Plan, the CIO and DS need to work together to ensure that IT security is adequately developed and implemented throughout the Department.

  [1] On August 20, 2001, the Deputy Secretary of State delegated the Designated Approving Authority responsibilities to the CIO.
  [2] On August 20, 2001, the CIO designated the DS Deputy Assistant Secretary for Countermeasures and Information Security as the Senior Agency Information Security Official. The Senior Agency Information Security Official reports directly to the CIO regarding the implementation and maintenance of the Department’s information security program and security policies.

PURPOSE, SCOPE, AND METHODOLOGY

Section 3535 of GISRA directs each agency to conduct an annual independent evaluation of its information security program and practices beginning in FY 2001. In response to GISRA, OIG conducted a review with the specific objectives of: (1) identifying the Department’s policies and procedures for securing information on its information systems; and (2) determining if the Department is in compliance with GISRA with regard to establishing and ensuring the effectiveness of controls over information resources.

To fulfill our review objectives, we developed two data collection surveys, which we used to obtain general information about the Department’s information security program. Our first survey determined the Department’s universe of systems. We sent a questionnaire to all identified system owners at the Department asking general information security questions. The owners were also asked to update the Department’s list of information systems to the best of their knowledge. The second survey narrowed in on 16 major applications, facilities, and nodes[3] of the Department’s infrastructure. Criteria for selection included: (1) mission criticality; (2) Presidential Decision Directive 63 identification;[4] and (3) documentation availability. The questions in the questionnaire came directly from the National Institute of Standards and Technology’s Self-Assessment Guide for Information Technology Systems, which OIG edited to cover risk/vulnerability assessments, security controls, life cycle, certification and accreditation, information system security plans, personnel security, contingency plans, data integrity, documentation, and incident response capability. We interviewed the owners of the 16 systems to collect documentation regarding their information systems security program. We did not independently verify the information collected from the two surveys.

  [3] Node—A system connected to a network.
  [4] Presidential Decision Directive 63 established a national effort to ensure the security of the critical infrastructure of the United States. Under this Directive, the Department of State is responsible for protecting those of its facilities, people, and systems that it deems essential to the national critical infrastructure, and for being the Foreign Affairs Lead Agency.

To learn more about information system security at the Department, we reviewed OIG and DS inspection reports, the OIG Presidential Decision Directive 63 audit, and General Accounting Office reports on the Department. Our analysis grouped the recommendations in the OIG and DS inspections into five major categories to report on areas that need more attention at posts.

In the Department, we also interviewed officials in DS, the Foreign Service Institute, and the Bureaus of Financial Management and Policy, Information Resource Management, Consular Affairs, and International Narcotics and Law Enforcement Affairs regarding their efforts for securing their information systems.

We did not test the Department’s information security controls during this evaluation, but instead relied on the results of previous OIG reviews, General Accounting Office reports, and DS inspections. Except as noted above regarding our use of data collection surveys, we followed generally accepted government auditing standards and conducted such tests and procedures as were considered necessary for the assignment. We obtained written comments on a draft of this report from the Department and revised the report where appropriate. The Department’s comments are included in Appendix A. Staff from our Information Technology Division performed this evaluation from February 2001 through July 2001. Contributors to this report were Frank Deffer, James Davies, Tim Fitzgerald, Robert Taylor, Anthony Carbone, Sharon Hunter, Chris Watson, and Matthew Worner. Comments or questions about the report can be directed to Mr. Deffer at defferf@state.gov or at (703) 284-2715 or to Mr. Davies at daviesj@state.gov or at (703) 284-2673.

AUDIT FINDINGS

DEPARTMENT INFORMATION SECURITY WEAKNESSES IDENTIFIED IN OIG AND DS EVALUATION REPORTS

OIG and DS evaluation reports in 1999 and 2000 identified information security weaknesses at the Department’s overseas posts, as well as at headquarters in Washington, DC. Specifically, OIG reported on information security readiness at 35 overseas posts and on the Department’s progress in implementing its Critical Infrastructure Protection Plan under Presidential Decision Directive 63. DS conducted 54 evaluations on information security at overseas posts between January 1999 and November 2000.

OIG Information Security Reports

In FYs 1999 and 2000, as part of its comprehensive security inspection efforts, OIG evaluated the information security programs and practices at 35 posts under the supervision of one geographic bureau. OIG consolidated the results of these reviews in its classified May 2001 capping report (01-SEC-R-005). The results of the OIG inspections, as indicated in the capping report, were mixed. OIG determined that 26 of the 35 posts inspected were adequately training their U.S. systems users. However, in terms of effective information security procedures, most of the posts fell short of Department standards. Specifically, only 10 posts had adequate (or better) information security procedures in place, 24 had minimal security procedures, and 1 was inadequate. OIG is currently following up on this report to determine the extent to which the problems identified have been resolved.

OIG identified additional weaknesses in the Department’s management of information security in its June 2001 report[5] on critical infrastructure protection. The report assesses the Department’s progress in developing and implementing its cyber-based critical infrastructure protection plan, as mandated by Presidential Decision Directive 63. Specifically, OIG reported that the Department’s:

• international outreach strategy is unnecessarily constrained, and, thus, does little to encourage the development of preventative measures needed to enhance global critical infrastructure protection;[6]
• critical infrastructure protection plan provided a suitable framework for addressing minimum-essential infrastructure. However, the plan falls short because it does not address potential cyber vulnerabilities in its foreign operations or in its interagency connections (for example, between the Foreign Service National Payroll System and the Treasury Department); and
• policies and programs concerning information security training awareness were not sufficient to ensure that employees are properly trained to secure the agency’s information systems.

  [5] Critical Infrastructure Protection: The Department Can Enhance Its International Leadership and Its Own Cyber Security (Report Number 01-IT-R-044)
  [6] The Bureau of International Narcotics and Law Enforcement Affairs had responsibility for the critical infrastructure protection outreach strategy at the time of OIG’s June 2001 report.

The OIG report contains a number of recommendations to strengthen the Department’s approach to critical infrastructure protection planning. The recommendations include:

• assessing the vulnerability of the Department’s foreign operations to cyber-based disruptions;
• scheduling and conducting security controls evaluations of all minimum-essential cyber infrastructures at least once every 3 years;
• strengthening information security training policies and procedures through changes to appropriate sections of the Foreign Affairs Manual; and
• expanding the Department’s international outreach approach to include a wide range of friendly countries requesting such assistance.

DS Information Security Reports

The Office of Information Security Technology in DS conducted 54 readiness evaluations on information security at overseas posts in 1999 and 2000. DS assessed the extent to which posts were complying with Department information security requirements in a number of key areas, including: (1) Security Program Planning and Management; (2) Access Controls Effectiveness; (3) Application Software: Installation, Development, and Storage; (4) Security of Operating System Software; and (5) Service Continuity Planning. The number of recommendations in each category is shown in Table 1 below.

Table 1
Summary of DS Computer Security Report Recommendations

  Recommendation Category                                          Number of Recommendations
                                                                Unclassified  Classified  Combined
  1. Security Program Planning and Management                            149          16       165
  2. Access Controls Effectiveness                                       580         153       733
  3. Application Software: Installation, Development, and Storage         12          11        23
  4. Security of Operating System Software                                92          13       105
  5. Service Continuity Planning                                         104          29       133
  TOTALS                                                                 937         222      1159

Generally, DS reports on post information security readiness provide a mixed picture. DS made the fewest number of recommendations (23) in the area of Application Software: Installation, Development, and Storage, which suggests that posts were managing this area with relatively few problems. DS made the largest number of recommendations in the area of Access Controls, namely 733, or more than 63 percent of all the recommendations it developed in the 2-year period. The specific problems DS found at posts in this evaluation area include:

• (REDACTED)
• (REDACTED)
• (REDACTED)
• emergency power-off controls related to air conditioning in the computer rooms are inaccessible or not installed; and
• access privileges of each application user are not being reviewed by post supervisors annually to verify that the privileges originally granted are still appropriate.

According to DS, periodic compliance reviews of its reports have consistently shown that many of the reported issues are systemic in nature and require a change in the culture of the Department’s systems management and users to be resolved. Further, the Assistant Secretary for DS reported to OIG that in order to bring about this change, and add a strong element of accountability across all levels of users, DS is developing strategies to allow senior management to interject accountability into the information systems operations and management.

MIXED RESULTS FROM OIG’S INFORMATION SECURITY MANAGEMENT QUESTIONNAIRE

OIG developed two data collection surveys that were used to determine general information about the Department’s information security program. The purpose of the first questionnaire was to identify the universe of systems operating throughout the Department and to obtain information on IT security plans, assessments, and determinations that are required by the OMB guidance, prior information security laws, and also by GISRA. Specifically, our first questionnaire included requests for information on the following:

♦ Risk assessments—The identification and analysis of possible risks in meeting the agency’s objectives, which forms a basis for managing the risks identified and implementing deterrents.

♦ Security level determinations—Assessments that identify the specific security levels that should be maintained for IT systems hardware, software, and the information maintained or processed on systems.

♦ System security plan—A written plan that clearly describes the entity’s security program and the policies and procedures that support it. The plan and related policies should cover all major systems and facilities and outline the duties of those who are responsible for overseeing security as well as those who own, use, or rely on the entity’s computer resources.

♦ Certification and accreditation—Attests that an information system meets documented security requirements and will continue to maintain the approved security posture throughout its life cycle.

♦ Tests of security controls—Assessments of controls designed to protect computer facilities, computer systems, and data stored on computer systems or transmitted via computer networks from loss, misuse, or unauthorized access.

According to our survey, the Department has 371 systems. Further, the survey indicates there is significant room for improvement in information security management throughout the Department. As Table 2 below indicates, nearly 70 percent of systems were reported to have security level determinations, only 10 percent were reported to have security plans, and just 5 percent were reported to have been certified and accredited. See Appendix B for detailed survey results.

Table 2
Department Survey Results: Key Information Systems Security Elements
Department of State—OIG GISRA Questionnaire Results, Summary Totals (Total Systems 371)

  Element                                        Number   Percentage
  Systems with Risk Assessments                     219        59%
  Systems with Security Level Determinations        256        69%
  Systems with Security Plans                        38        10%
  Systems Certified and Accredited                   18         5%
  Systems with Tested Security Controls             162        44%

Our second questionnaire focused on 15 of the Department’s 83 mission-critical systems and 1 mission-critical asset (the Beltsville Information Management Center, SA-26).[7] We selected these systems based on the guidance from the Critical Infrastructure Assurance Office and related assessments. Specifically, our questions covered risk/vulnerability assessments, security level determinations, system security plans, certification and accreditation, and system security controls. Also, in our second questionnaire, we asked about personnel security, contingency plans, virus detection practices, hardware and software documentation, and incident response capability.

  [7] Responses to OIG’s first questionnaire reported 83 mission-critical systems out of the total of 371 systems identified.

Overall, OIG’s second survey questionnaire results were mixed. As shown in Table 3 below, while 75 percent of the systems reported having done a risk assessment, only 13 percent reported having a security plan in place, 44 percent reported that they had tested security controls, and only 31 percent reported that they had been certified and accredited.

Table 3
Mission-Critical System Survey Results

  System                                                  Risk        Security Level  Security  Certified and  Tested Security
                                                          Assessment  Determined      Plans     Accredited     Controls
  American Citizen Services                               Yes         Yes             No        No             No
  CableXpress                                             Yes         Yes             No        No             No
  Classified Network                                      No          No              No        No             No
  Consular Lookout and Support System - Enhanced          Yes         No              No        No             No
  Electronic Certification System                         Yes         Yes             Yes       Yes            Yes
  Foreign Service National Payroll System                 No          No              No        No             No
  Guard                                                   Yes         Yes             No        Yes            Yes
  INS Allocation Management System                        Yes         No              No        No             No
  Intelligence Research Information System                Yes         Yes             No        Yes            Yes
  International Narcotics and Law Enforcement System      Yes         Yes             Yes       Yes            Yes
  Open Sensitive but Unclassified Intra-Network           Yes         No              No        No             No
  Overseas Financial Management System                    No          No              No        No             No
  Overseas Security Advisory Council Electronic Database  Yes         Yes             No        No             Yes
  Principal Officers Executive Management System          Yes         Yes             No        No             Yes
  State Annex 26                                          Yes         Yes             No        Yes            Yes
  State Transportation and Tracking System                No          No              No        No             No
  TOTAL YES (PERCENTAGE)                                  75%         56%             13%       31%            44%

On a more positive note, Table 4 below shows that 100 percent of the systems reported having an incident response capability, 94 percent reported an active virus detection program, 88 percent reported having the necessary hardware and software documentation, and 69 percent reported having accurate security position descriptions.

Table 4
Mission-Critical System Survey Results

  System                                                  Accurate Security     Contingency Plans     Automatic Virus   Hardware and Software   Incident Response
                                                          Position Description  Tested and Updated    Detection         Documentation           Capability
  American Citizen Services                               Yes                   No                    Yes               Yes                     Yes
  CableXpress                                             No                    No                    Yes               Yes                     Yes
  Classified Network                                      Yes                   No                    Yes               Yes                     Yes
  Consular Lookout and Support System - Enhanced          Yes                   Yes                   Yes               Yes                     Yes
  Electronic Certification System                         Yes                   No                    Yes               Yes                     Yes
  Foreign Service National Payroll System                 Yes                   No                    Yes               Yes                     Yes
  Guard                                                   Yes                   No                    No                Yes                     Yes
  INS Allocation Management System                        Yes                   No                    Yes               Yes                     Yes
  Intelligence Research Information System                No                    No                    Yes               Yes                     Yes
  International Narcotics and Law Enforcement System      Yes                   Yes                   Yes               Yes                     Yes
  Open Sensitive but Unclassified Intra-Network           Yes                   No                    Yes               No                      Yes
  Overseas Financial Management System                    Yes                   No                    Yes               Yes                     Yes
  Overseas Security Advisory Council Electronic Database  No                    Yes                   Yes               Yes                     Yes
  Principal Officers Executive Management System          No                    Yes                   Yes               Yes                     Yes
  State Annex 26                                          Yes                   No                    Yes               Yes                     Yes
  State Transportation and Tracking System                No                    No                    Yes               No                      Yes
  TOTAL YES (PERCENTAGE)                                  69%                   25%                   94%               88%                     100%

Recommendation 1: We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security, develop a strategy and timetable for ensuring that all of the Department’s systems/applications address each of the key system security elements identified in the tables above. This strategy and timetable should be completed by October 15, 2001, in order for it to be included in the Department’s information security remediation plan, which is due to the Office of Management and Budget by October 31, 2001.

PROGRESS MADE IN THE DEPARTMENT’S REASSESSMENT OF INFORMATION SECURITY ROLES AND RESPONSIBILITIES

Managing the increased risks associated with a highly interconnected computing environment demands increased central coordination to ensure that weaknesses in one part of the organization do not place the entire organization’s information assets at undue risk.
Further,\ncentralized information security management can help ensure that: (1) information security risks\nare considered in both planned and ongoing operations; and (2) senior management is fully\ninformed about security-related issues and activities affecting the organization. Toward that end,\nGISRA establishes the agency\xe2\x80\x99s CIO as the central management focal point for information\nsecurity activities. In addition to modifying existing requirements, GISRA adds new\nrequirements to the Department\xe2\x80\x99s information security programs\xe2\x80\x94all of which require a\nreappraisal of information security management throughout the agency. The Department has\nmade progress in assessing information security roles and responsibilities, and has taken action\nto meet GISRA requirements; however, a number of details remain to be worked out to ensure\nfull and effective implementation of the law.\n\n        In mid-August 2001, OIG provided the Department a draft of this report, which discussed\nits concern that the Department\xe2\x80\x99s senior leadership had not agreed on what functional and\norganizational changes need to be made to comply with the law. OIG recommended that the\nUnder Secretary for Management assess the Department\xe2\x80\x99s organizational structure for managing\ninformation security and identify the changes needed to comply with GISRA. In response to the\nissues raised in the draft report, the Under Secretary for Management promptly reassessed the\nrelative senior management roles and responsibilities of IRM and DS in managing information\nsecurity and directed actions consistent with GISRA requirements. 
Subsequently, on August 20,\n2001, the Department took the following key steps:\n\n\xe2\x80\xa2   The Deputy Secretary issued a Delegation of Authority to the CIO empowering him to\n    administer the Department\xe2\x80\x99s information security program;\n\xe2\x80\xa2   The CIO designated the Deputy Assistant Secretary for Countermeasures and Information\n    Security as Senior Agency Information Security Official. This official will report directly to\n    the CIO regarding the implementation and maintenance of the Department\xe2\x80\x99s information\n    security program and security policies; and\n\xe2\x80\xa2   The Under Secretary for Management designated the CIO as the designated approving\n    authority, responsible for making risk acceptance determinations for information technology\n    on behalf of the Department.\n\nThe Department believes that these actions will resolve the issues raised in OIG\xe2\x80\x99s draft report\nregarding the agency\xe2\x80\x99s information security program. The Department also recognizes that\nfurther details implementing the new organizational arrangement remain to be worked out.\n\n\n\n                                                12\n\x0c         The Department\xe2\x80\x99s current operating approach to information security roles and\nresponsibilities grew out of its response to a May 1998 General Accounting Office report8 that\noutlined major information security weaknesses in the Department. The General Accounting\nOffice recommended that the Department establish a central information security unit to\nfacilitate, coordinate, and oversee information security in the Department. In January 2000, the\nUnder Secretary for Management issued a memorandum that: (1) named IRM as the authority\nfor the Department\xe2\x80\x99s information security program; and (2) designated DS as responsible for\ndeveloping information security policy, with promulgating authority held jointly by DS and\nIRM. 
Further, the memorandum laid out agreed-upon roles and responsibilities for DS and IRM\nin four areas: IT security policy and implementation; information security awareness;\nmonitoring and evaluation; and risk assessments. This memorandum was superseded on August\n20, 2001, by the Deputy Secretary of State\xe2\x80\x99s delegation to the CIO of the authority to administer\nall functions under GISRA.\n\n         Under GISRA, many of the existing roles and responsibilities regarding information\nsecurity management remain unchanged. For example, DS will continue to: provide worldwide\ncomputer security support; provide computer security training for security officers and systems\nstaff; and act in an advisory capacity to the CIO on IT security issues. IRM will continue its\nvirus protection role and operational monitoring of Department networks. However, the law and\nthe recent delegation of authority to the CIO significantly expand the role of the CIO in\nmanaging the Department\xe2\x80\x99s information security program. With the reporting relationship now\nestablished between the DS Deputy Assistant Secretary for Countermeasures and Information\nSecurity and the CIO, relative roles and responsibilities are being institutionalized. 
Specifically\nin line with GISRA requirements, the CIO now has the delegated authority to administer all\ninformation security functions, including:\n\n\xe2\x80\xa2   designating a senior agency information security official who shall report to the CIO;\n\xe2\x80\xa2   developing and maintaining an agency-wide information security program;\n\xe2\x80\xa2   ensuring that the agency effectively implements and maintains information security policies,\n    procedures, and control techniques;\n\xe2\x80\xa2   training and overseeing personnel with significant responsibilities for information security;\n    and\n\xe2\x80\xa2   assisting senior agency officials concerning information security aspects of their respective\n    program areas.\n\nThe CIO\xe2\x80\x99s new role establishes the central management focus on information security that is\nrequired by the law and puts the Department in a better posture to protect its information\ntechnology assets from security risks.\n\n       These new CIO responsibilities may necessitate additional organizational changes within\nthe Department as demonstrated by the CIO\xe2\x80\x99s designation of the DS Deputy Assistant Secretary\nfor Countermeasures and Information Security to be the Department\xe2\x80\x99s Senior Agency\nInformation Security Official. This designation requires the incumbent DS Deputy Assistant\n\n8\n Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations, GAO/AIMD-98-\n145, May 1998.\n\n                                                   13\n\x0cSecretary to report directly to the CIO regarding the implementation and maintenance of the\nDepartment\xe2\x80\x99s information security program and security policies. These newly-created, cross-\nbureau responsibilities may require a reallocation of information security resources to support the\nCIO. 
For example, the requirement that the CIO have responsibility for developing and\nmaintaining the Department\xe2\x80\x99s information security program may require the transfer of specific\npolicy and planning resources from DS to IRM.\n\nRecommendation 2: We recommend that the Under Secretary for Management ensure that the\nBureaus of Information Resource Management and Diplomatic Security resolve any remaining\nissues regarding the establishment of the Chief Information Officer as the Department\xe2\x80\x99s central\nmanagement focal point for information security and the appointment of a Senior Agency\nInformation Security Official. This effort should include an assessment of both the resources\nand the reporting structure needed to support the newly-delegated Chief Information Officer\nauthorities and responsibilities. This completed effort should be included in the Department\xe2\x80\x99s\ninformation security remediation plan, which is due to the Office of Management and Budget by\nOctober 31, 2001.\n\nDepartment Response\n\n        In commenting on a draft of this report (see Appendix A), the Department states that it\nhas assessed its organization and made determinations that will resolve the issues raised in the\nreport regarding the Department\xe2\x80\x99s information security program. The Department cites its recent\nactions (discussed above) as evidence that the Department is now complying with GISRA.\nFurther, the Department states in its comments that it does not agree that Recommendation 2\nshould remain in the report.\n\nOIG Comment\n\n        We agree that the Department\xe2\x80\x99s recent actions to assign roles and responsibilities over its\ninformation security program represent significant progress toward GISRA compliance, and we\nhave revised our draft report accordingly. 
We also agree that Recommendation 2 should not\nremain as it was originally drafted; however, there are a number of significant details that need to\nbe addressed in order fully to implement the recommended changes to the agency\xe2\x80\x99s information\nsecurity program. For example, the Department needs to determine the extent to which\norganizational resources may need to be transferred between DS and IRM, as a result of GISRA\nrequirements. Further, the Department needs to assess how the specific DS and IRM roles and\nresponsibilities established by the January 2000 memorandum need to be revised in order to\ncomply with GISRA. In its response to our draft report, the Department acknowledges that\nfurther details need to be worked out and it pledges to complete that work within 30 days.\nBecause of these outstanding issues related to the Department\xe2\x80\x99s efforts to implement GISRA, we\nhave revised Recommendation 2 to reflect the need for the Under Secretary for Management to\ncontinue his oversight of DS and IRM efforts to resolve these issues by October 31, 2001.\n\n\n\n\n                                                14\n\x0cINFORMATION SECURITY TRAINING\n\n         Training is a key element in reducing risk and enhancing the Department\xe2\x80\x99s risk-based\nmanagement approach for IT security. The Department of State\xe2\x80\x99s FY 2001 Systems Security\nProgram Plan recognizes the importance of training and notes that the most comprehensive and\nlogical IT security program will prove ineffective in the absence of adequate and regularly\nscheduled education and awareness efforts. It goes on to state that education and awareness\nefforts ensure that users, IT professionals, managers, and senior executives understand and\nappreciate both the complexity of this discipline and also its unique contribution to the success of\noverall IT security efforts. 
We found that the Department conducts information security training\nat all user levels, carries out an aggressive awareness program, and supports a complete range of\ncomputer-based training tools. As shown in Table 5 below, DS has provided training to more\nthan 13,000 employees in the past 3 years to support information assurance and security.\n\n                                  Table 5\n                         EMPLOYEES TRAINED BY DS:\n            IN SUPPORT OF INFORMATION ASSURANCE AND SECURITY\n\n\n                                Domestic      Overseas      Executive     Totals\n                                End Users     End Users    Management\n\n                   FY1999         2232          1638           778         4648\n                   FY2000         2481          1820           865         5166\n                   FY2001         1861          1315           649         3825\n\n                    Total number of personnel trained in FY 1999-2001     13,639\n\n\n\n        However, the results of our evaluation show that adjustments in training curriculum could\nfurther improve the Department\xe2\x80\x99s training program and thereby reduce additional risk through\nbetter understanding and awareness. For example, we were informed that inclusion of IT\nsecurity in the Department\xe2\x80\x99s Managing State Projects curriculum would require minor revision\nthat would improve the Department\xe2\x80\x99s management of information systems security projects. All\nDepartment project managers are encouraged to take this 5-day intensive workshop, which,\naccording to the Foreign Service Institute course guide, provides a solid entry into the field of\nproject management.\n\nCIO NEEDS TO DEVELOP INFORMATION SECURITY\nPERFORMANCE MEASURES\n\n        OIG found that the Department has not developed information security performance\nmeasures to support strategic goals\xe2\x80\x94key requirements of both the Government Performance and\nResults Act and GISRA. 
Two important Government Performance and Results Act factors in\nestablishing measures are that each performance measure should be an indicator mainly used by\nmanagers as they direct and oversee how a program is carried out, and should help managers\nrespond when problems arise. Without meaningful and measurable performance measures, the\n\n                                                 15\n\x0cDepartment will be unable to assess the adequacy and effectiveness of information security\npolicies and procedures effectively; further, it will be hindered in its efforts to implement a\nresults-based information security management program.\n\n        In response to a draft of this report, the Under Secretary for Management\xe2\x80\x99s office has\ndirected that IRM and DS incorporate Government Performance and Results Act requirements\ninto their GISRA compliance efforts. According to the executive assistant to the Under\nSecretary for Management, information security performance measures are to be established\nprior to October 15, 2001.\n\nRecommendation 3: We recommend that the Chief Information Officer ensure that program\nmanagers develop and use Government Performance and Results Act and Government\nInformation Security Reform Act performance measures in support of the Department\xe2\x80\x99s\ninformation systems security program.\n\n\n\n\n                                                 16\n\x0cBureau of\nPopulations,\n                          2      0    0%      0        0%    0    0%    0    0%    0    0%\nRefugees, and\nMigrations\nOffice of the Secretary   75    75    100%   75    100%      0    0%    0    0%   74    99%\nTotals                    370   219   59%    256       69%   38   10%   18   5%   162   44%\n\n\n\n\n                                                   3\n\x0c\x0c\x0c\x0c'